Getty Images/Nitat Termmee

The shift to remote work and cloud-computing services has made it harder to secure businesses from attack, especially in the face of ongoing shortages of skilled security staff, according to Gartner. But that's just part of the change the tech analyst firm foresees in the security landscape.

Special Feature

Securing the Cloud

Cloud computing is now a business essential, but keeping your data and applications secure is vital. Find out more about cloud security in this ZDNet special report.

Read now

"Organizations worldwide are facing sophisticated ransomware, attacks on the digital supply chain and deeply embedded vulnerabilities," said Peter Firstbrook, research vice president at Gartner. The analyst firm said that new challenges can be divided into three main groups: new responses to sophisticated threats; the evolution of security practices; and rethinking technology.

• Attack surface expansion

In particular, Gartner warned that enterprise attack surfaces -- the sum of the systems and access points that organisations need to defend -- are expanding. It points to risks associated with the Internet of Things, open-source code, cloud applications and complex software supply chains, and warns these have "brought organizations' exposed surfaces outside of a set of controllable assets". Organizations must look beyond traditional approaches to security monitoring, detection and response to manage a wider set of security exposures, said Gartner.

• Digital supply chain risks

Attacks on the software supply chain are hard to spot because companies often have few ways of checking software updates and have to take them on trust. Gartner predicts that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains.

"Digital supply chain risks demand new mitigation approaches that involve more deliberate risk-based vendor/partner segmentation and scoring, requests for evidence of security controls and secure best practices, a shift to resilience-based thinking and efforts to get ahead of forthcoming regulations," the analyst noted.

• Identity threat detection and response

Sophisticated threat actors are actively targeting identity and access management infrastructure, and credential misuse is now a primary attack vector. That's why companies are regularly urged to upgrade to multi-factor authentication, which makes it harder to use stolen or forged usernames and passwords. But Gartner warns that companies still need to do more to protect identity systems in order to detect when they are compromised and enable efficient remediation.

---

SPECIAL FEATURE: SECURING THE CLOUD

• Cloud computing dominates. But security is now the biggest challenge
• Cloud computing security: Where it is, where it's going
• Don't let your cloud cybersecurity choices leave the door open for hackers
• Why cloud security matters and why you can't ignore it

---

• Distributing security decision-making

Enterprise cybersecurity needs and expectations are maturing, and that means the chief information security officer can't do it all. Instead, cybersecurity decisions will have to be shared more broadly. Gartner predicts that at least 50% of C-level executives will have performance requirements related to cybersecurity risk built into their employment contracts by 2026, while a single, centralized cybersecurity function will not be agile enough to meet the needs of digital organizations.

Gartner also listed three other trends:

• Beyond awareness
• vendor consolidation
• cybersecurity mesh architecture

The analysts also said that because human error continues to be a factor in many data breaches, this shows that traditional approaches to security awareness training are ineffective; organisations need to go 'beyond awareness' to invest in broader security behavior and culture programs. Organisations also need to be aware of ongoing security vendor consolidation and the emergency of new concepts such as cybersecurity mesh architecture, which helps companies to create an integrated security structure and posture to secure all assets, whether they're on-premises, in data centers or in the cloud.

Security

8 habits of highly secure remote workersHow to find and remove spyware from your phoneThe best VPN services: How do the top 5 compare?How to find out if you are involved in a data breach -- and what to do next

• 8 habits of highly secure remote workers
• How to find and remove spyware from your phone
• The best VPN services: How do the top 5 compare?
• How to find out if you are involved in a data breach -- and what to do next